A security policy (or collection
of policies) can be regarded as the strategy and practices concerning
the confidentiality, integrity and availability of data [426]. A policy or set of policies cannot be created or
purchased until the company philosophy has been clearly defined.

Policies define what is to be
protected. Once policies are defined, procedures are created to ensure
that the policies that have been decided upon are implemented. Procedures
determine how that protection happens. Procedures should also be
in place to give step-by-step instructions for abnormal events. Just as
virtually every public place has an EXIT sign as a guide in the event
of an emergency, a procedure should be written in a step-by-step manner
describing what to do and how to do it in the event of negative
occurrences.

This work continues with some brief
thoughts. All readers are strongly advised to refer to RFC 2196 [427]. Readers of this document who work in, or are considering
employment in, the computer industry should consider a careful study of
RFC 2196 mandatory.

When developing policies and procedures,
it's useful to have some familiarity with the current laws related
to computer and network security and data privacy. An overview of key
US Federal privacy laws as of 2002 can be found in Protect Your Digital
Privacy: Survival Skills for the Information Age [428] by Cady and McGregor. There are more than you might
think, and they are worth a look, though since Security+ is not a US-specific
exam, exactly which laws apply in the US is outside the scope of the
exam.
